Hi,
I have following set of certificates with X509 extensions defined for code
signing in PKCS7 format.
Root CA - Key usage (critical): Certificate Sign, CRL Sign
CVC Sub-CA - Key usage (critical): Certificate Sign, CRL Sign
CVC cert - Key usage(critical): Digital Signature, Key Encipherment. Extended
Key Usage(critical): Code Sigining
PKCS#7 signature includes CVC sub-CA and CVC certs. When I verify the signature
using PKCS7_verify() I am getting
error: "unsupported certificate purpose"
As a work-around suggested by Dr.Stephen I tried setting purpose to any and it
works fine using following command line:
openssl smime -verify -CAfile Root-CA -purpose any -inform PEM -in pk7blob
-content data-signed
But fails when using Openssl API's and the error is
X509_STORE_CTX_purpose_inherit: unknown purpose id.
Following is the code snippet. Most of it is taken from PKCS7_verify() itself
in pkcs7_smime.c
void my_verify_api(PKCS7 *pkcs7, unsigned char *signed_data, int s_len)
{
/* Root CA */
static unsigned char my_root_ca[900]={......};
BIO *bio_t;
const unsigned char *der_cert = my_root_ca;
X509_STORE *cert_store = NULL;
X509 *x509 = NULL;
STACK_OF(X509) *signers;
X509 *signer;
X509_STORE_CTX cert_ctx;
int i, k, num_signers;
if (!bio_t = BIO_new_mem_buf((void *)signed_data, s_len))) {
printf("BIO_new_mem_buf failed\n\n");
goto end;
}
OpenSSL_add_all_algorithms();
x509 = d2i_X509(NULL, &der_cert, sizeof(my_root_ca));
if (x509 == NULL) {
printf("x509 is NULL.\n");
goto end;
}
cert_store=X509_STORE_new();
if (cert_store == NULL) {
printf("Failed to create new cert store using X509_STORE_new().\n");
goto end;
}
X509_STORE_add_cert(cert_store,x509);
signers = PKCS7_get0_signers(pkcs7, NULL, 0);
if (!signers) {
printf("Error getting signers--\n");
goto end;
}
num_signers = sk_X509_num(signers);
printf("num_signers: %d\n", num_signers);
for (k = 0; k < num_signers; k++) {
signer = sk_X509_value(signers, k);
if (!X509_STORE_CTX_init(&cert_ctx, cert_store, signer,
pkcs7->d.sign->cert)) {
printf("X509_STORE_CTX_init failed.\n");
sk_X509_free(signers);
goto end;
}
X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_ANY);
i = X509_verify_cert(&cert_ctx);
X509_STORE_CTX_cleanup(&cert_ctx);
if (i <= 0) {
unsigned long e;
const char *file = NULL, *data = NULL;
int line, flgs;
while ((e = ERR_get_error_line_data(&file, &line, &data, &flgs))) {
printf("Error: %d\nError String: %s\n", e, ERR_error_string(e,
NULL));
if (data) {
printf("data: %s\n", data);
}
}
ERR_clear_error();
sk_X509_free(signers);
goto end;
} else {
printf("Certificate got verified--\n\n");
}
}
sk_X509_free(signers);
end:
if (x509 != NULL) {
X509_free(x509);
}
if (cert_store != NULL) {
X509_STORE_free(cert_store);
}
if (bio_t) {
BIO_flush(bio_t);
BIO_free_all(bio_t);
}
EVP_cleanup();
}
Am I doing something wrong here?
Any help is appreciated.
Thanks,
Prkj
